Last week, I tried to register for a service and was really surprised by a password limit of 16 characters. Why on earth yould you impose such strict limits? Never heard of correct horse battery staple?

    • cronOP
      link
      fedilink
      arrow-up
      56
      arrow-down
      1
      ·
      4 months ago

      OWASP recommendation is to allow 64 chars at least:

      Maximum password length should be at least 64 characters to allow passphrases (NIST SP800-63B). Note that certain implementations of hashing algorithms may cause long password denial of service.

      The lemmy-UI limit is reasonably close and as everything is open source, we can verifiy that it does hash the password before storing it in the database.

      There is a github issue, too.

    • faltryka@lemmy.world
      link
      fedilink
      arrow-up
      15
      arrow-down
      1
      ·
      4 months ago

      It being open source helps because we can confirm it’s not being mishandled, but it’s generally arbitrary to enforce password max lengths beyond avoiding malicious bandwidth or compute usage in extreme cases.